France’s data protection watchdog CNIL has slapped Google with a fine of €50 million (almost US$57 million) for what the authority views as the tech giant’s failure to adhere to its obligations that stem from the European Union’s (EU) data protection rules.

As per its statement, a committee of La Commission nationale de l'informatique et des libertés (CNIL) has concluded that Google’s violation of the EU’s General Data Protection Regulation (GDPR) has to do with a "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization".

Based on its “online inspections” into how Google handles user data when Android users configure their new smartphones, the privacy regulator found that Google’s non-compliance with the GDPR comes, in fact, in two forms:

First, the tech giant fails to provide users with transparent and comprehensive information about how it handles user data, according to the CNIL.

“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents,” said the CNIL, before adding that such information is only available after several extra steps that in some cases may imply five or six individual actions.

Moreover, “the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes”, according to the authority.

Second, the CNIL said that the user’s consent with the processing of their data for ads personalization is not obtained validly. In addition to diluting the relevant information across multiple documents, Google makes the consent flow neither unambiguous nor specific, said the regulator.

For consent to be unambiguous, “a clear affirmative action from the user” is required, noted the CNIL. At the same time, consent is specific “only if it is given distinctly for each purpose”. However, by pre-ticking the option for ad personalization and by consent bundling, Google was found to run afoul of the GDPR.

The CNIL said that this is not “a one-off, time-limited, infringement” of the GDPR as the violations are still observed to date.

National authorities in the EU have issued several fines under the GDPR since the regulation came into effect on May 25, 2018, including against a Portuguese hospital last October and against a German chat site in the following month. However, the fine imposed on Google is by far the biggest under the new regime. The law provides for fines of up to four percent of a company’s annual global turnover for serious offenses.

How it started

The CNIL’s probe was launched in response to two complaints that two privacy advocacy groups filed against Google and several other tech giants on May 25 and 28, 2018, respectively. Google, for one, was accused by None Of Your Business (Noyb) and La Quadrature du Net of “not having a valid legal basis to process the personal data of users of its services, particularly for ads personalization purposes”. The complaints against the other major online services remain pending.

Even though Google’s European headquarters is in Dublin, the CNIL concluded that the company’s Irish office doesn’t have the final say as far as the data processing of Android users is concerned. This is why the issue remained in the hands of the French authority, rather than being sent over to the Irish Data Protection Commission (DPC), which is Google’s lead supervisory authority in the EU.

Meanwhile, a Google spokesperson had this to say in response to the penalty (as per the BBC): "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."